More nginx config dehardcoding. Did some sshd hardening.

2019-03-24 22:55:17 +01:00 · 2019-03-24 22:55:17 +01:00 · e745bdea3d
parent 66ca5839e5
commit e745bdea3d
5 changed files with 15 additions and 7 deletions
--- a/machines/Lilim/options.nix
+++ b/machines/Lilim/options.nix
@ -29,9 +29,9 @@ with lib;
      "xpkgs"
    ];
    services = [
-#      "containers"
+      "containers"
      "xserver"
-#      "docker"
+      "docker"
      "udev"
      "cups"
    ];
--- a/services/containers.nix
+++ b/services/containers.nix
@ -18,6 +18,8 @@ mkIf (elem "containers" config.machine.services) {
          ../pkgs/nixpkgs.nix
          ../pkgs/pkgsets.nix
        ];
+      services.nixosManual.showManual         = false;
+      services.ntp.enable                     = false;
      };
  };
 }
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@ -5,10 +5,10 @@ with lib;
 mkIf (elem "mailserver" config.machine.services) {
  mailserver = rec {
    enable = true;
-    fqdn = "mail.ophanim.de";
-    domains = [ "ophanim.de" ];
+    fqdn = "mail.${config.machine.domain}";
+    domains = [ config.machine.domain ];
    loginAccounts = {
-        "derped@ophanim.de" = {
+        "derped@${config.machine.domain}" = {
            hashedPassword = (builtins.readFile /secret/derped.mail);
        };
    };
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -2,6 +2,7 @@
 # Includes:                                                                                  #
 #   - Nginx + SSL config                                                                     #
 #   - Gitea                                                                                  #
+#   - Hydra                                                                                  #
 #   - Nextcloud                                                                              #
 #   - Mail ssl root                                                                          #
 ##############################################################################################
@ -33,7 +34,7 @@ mkIf (elem "nginx" config.machine.services) {
        forceSSL = true;
        extraConfig = ''
          location / {
-            proxy_pass http://127.0.0.1:3001;
+            proxy_pass http://${config.services.hydra.listenHost}:${config.services.hydra.port};
            proxy_set_header Host $http_host;
            proxy_set_header REMOTE_ADDR $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -163,7 +164,7 @@ mkIf (elem "nginx" config.machine.services) {

          location @node {
            client_max_body_size 0;
-            proxy_pass http://localhost:3000;
+            proxy_pass http://${config.services.gitea.httpAddress}:${config.services.gitea.httpPort};
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
--- a/services/openssh.nix
+++ b/services/openssh.nix
@ -9,13 +9,18 @@ with lib;
 mkIf (elem "openssh" config.machine.services) {
  services.openssh = {
    enable = true;
+    kexAlgorithms = [ "curve25519-sha256@libssh.org" ];
    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
    startWhenNeeded = true;
    challengeResponseAuthentication = false;
    passwordAuthentication = false;
    permitRootLogin = "no";
    extraConfig = ''
+        UsePAM no
+        UseRoaming no
        AllowUsers derped git nix-ssh
+        UsePrivilegeSeparation sandbox
+        LogLevel VERBOSE
    '';
  };
 }